Alexander Boström (abo kth se) said:
> I think it can be off by default. To use it securely you should log in
> locally and look at or replace the host key anyway, so you might as well
> enable it at the same time. (But I guess people use SSH for
> better-than-nothing security, rather than checking host keys.)
Not everything has local console access - although, you could require
such instances to access via the serial console, or do various things
with kickstart.
Bill